[security-announce] Security Update : CVE-2015-2925: Kernel (linux-yocto 3.14 and linux-qoriq 3.12 )

Sona Sarmadi sona.sarmadi at enea.com
Thu Jan 28 08:05:05 CET 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

	Enea Linux Security Advisory

=========================================================
Product/package: kernel (linux-yocto 3.14)
Severity: High
CVE Name: CVE-2015-2925
Layer: meta-enea
=========================================================

This security patch fixes a flaw which was found in the way the Linux
kernel's file system implementation handled rename operations in which
the source was inside and the destination was outside of a bind mount.

A privileged user inside a container could use this flaw to escape the
bind mount and, potentially, escalate their privileges on the system.


Description
===========
The prepend_path function in fs/dcache.c in the Linux kernel before
4.2.4 does not properly handle rename actions inside a bind mount,
which allows local users to bypass an intended container protection
mechanism by renaming a directory, related to a "double-chroot attack."

References:
===========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2925
http://www.openwall.com/lists/oss-security/2015/04/03/7
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-2925
http://www.openwall.com/lists/oss-security/2015/04/04/4

Reference to the upstream fixes:
===============================
vfs: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/
commit/?id=397d425dc26da728396e66d392d5dcb8dac30c37

dcache: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/
commit/?id=cde93be45a8a90d8c264c776fab63487b5038a65


Correction for Enea Linux
=========================
http://git.enea.com/cgit/linux/meta-enea.git/patch/?id=859a1735be48a2ff9
60354772832c65b15e3377c


How to get the latest patches
=============================
- - If you have already cloned meta-enea, update it to get new security
patches.

cd Enea-Linux-5.0/poky/meta-enea
git pull

- - If you have not yet cloned needed repositories, do it as described
below. (Security patches are fetched implicitly when cloning the repos).

mkdir Enea-Linux-5.0
git -C Enea-Linux-5.0 clone -b dizzy git://git.enea.com/linux/poky.git
POKY=Enea-Linux-5.0/poky
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-enea.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-fsl-ppc.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/
meta-hierofalcon.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/meta-linaro.git
git -C $POKY clone -b dizzy git://git.enea.com/linux/
meta-openembedded.git
git -C $POKY clone -b dizzy
git://git.enea.com/linux/meta-virtualization.git
git -C $POKY/meta-enea clone -b dizzy
git://git.enea.com/linux/meta-enea/meta-vt.git


If you have any questions regarding the security patches and security
updates please contact security at enea.com.


Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJWqb2hAAoJEAilI68fskZd06sH/2EH0UzkW+qk4E3j/B76sika
H3HfhnEgv+/tg0SLxAMuGe3danZDnn7U6XAuaPgafNwzRJBs4t4boLmsbuyGOrsD
gH4MVptNRw/LDdxH4la79CLj94d7UXqolEVDP8XTuEl0Q0SXaByoRNpqBDH18mue
ZIO9PXCXPz9VB18KcI62bQnI0zEo4cN0oKZZ7f/K+hLMN5DDzXiscjm9OZmUsWXx
YNc8gDwosyfIvb+IeI1b1+dH30Ln3KPeFN35oiU8nH37FTe+9pqH5EseN81eu6qE
IrJi/e5+VYZb7+ZuKOSaxizKAiHeOEqYyohP1/c9waDsk4L00UoKqXL3oyM2ROs=
=8wk8
-----END PGP SIGNATURE-----



More information about the security-announce mailing list